server.nix/services/ntfy.nix

{ config, ... }: {
  services = {
    # /var/lib/ntfy-sh
    ntfy-sh = {
      enable = true;
      settings = {
        listen-http = ":4006";
        base-url = "https://ntfy.catnip.ee";
      };
    };

    caddy.virtualHosts."ntfy.catnip.ee".extraConfig = ''
      tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1
      }

      reverse_proxy ${config.services.ntfy-sh.settings.listen-http}

      # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
      # it to work with curl without the annoying https:// prefix.
      @httpget {
          protocol http
          method GET
          path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
      }
      redir @httpget https://{host}{uri}
    '';

    borgbackup.jobs."borgbase".paths = [
      "/var/lib/ntfy-sh"
      "/var/lib/private/ntfy-sh"
    ];
  };
}